The Ontario Government agency has taken steps to guarantee the security of its backup tape systems that hold sensitive health information.

Each day this information criss-crosses the SSHA technology infrastructure that links more than 80 per cent of Ontario’s hospitals.

As thousands of health care providers across the province access the SSHA network, the Agency constantly strives to enhance the security of the network and data residing on it.

The latest milestone in this process is SSHA’s selection of the Assurency SecureData solution from Mississauga, Ont.-based solutions provider Kasten Chase to guarantee the security of its backup tapes.

Michael Milligan, president and CEO of Kasten Chase, said many organizations are becoming aware of the security risks associated with the backup procedure and are moving toward encrypting backup data. “The most pressing is the tape application,” he said. “In most cases when tapes are moved out of the data centre, they are taken to offsite storage, so organizations want those tapes to be encrypted before they leave the data centre.”

According to Milligan, the solution encrypts data as it is being saved from the application server on to storage media.

“Our typical solution is to put our own crypto accelerator card in an application server. The application server and the storage device are both authenticated by an appliance that sits on the network outside of the application server for security purposes, and the encryption keys are also managed centrally by the appliance.”

After data is saved from the application server and authenticated by the appliance, the crypto accelerator card encrypts the data and sends it to the authenticating storage device, Milligan said.

In SSHA’s case, sensitive health data would be encrypted as it is backed up on to tape libraries.

Linda Weaver, SSHA’s chief technology officer, said the biggest technology challenge dogging health care is privacy, of which security is a component. “Privacy issues continue to evolve and grow, and privacy law is really starting to get practiced and integrated into operating environments. We want to continue to work hard and make sure our security technologies fit in with privacy laws,” which include the Personal Information Protection and Electronic Documents Act.

The fact that privacy regulations are relatively new means the SSHA will have to work closely with vendors and discuss the implications of those laws on data protection, “at a really day-to-day, feet-on-the-ground level,” Weaver said. “Law is law, but how to implement systems within the law is a whole different set of discussions.”

Another challenge, said Milligan, is making sure privacy is protected over a long period of time. “Retention requirements for this kind of information are quite extensive, so we have to ensure the strength of the encryption for a long time. Some means of encryption might not stand the test of time,” he said, citing Data Encryption Standard (DES) as one example of popular standard that fell out of favour as computers got progressively more powerful, making it easier to breach DES algorithms.

The Assurency SecureData solution uses two kinds of encryption technologies: the advanced encryption standard (AES), which offers 128 or 256-bit encryption, as well as elliptic curve cryptography to encrypt the encrypting keys for another layer of security.

All of those keys are managed and protected in the appliance, Milligan said.